Review 5 Flashcards (CISA 3.0 - ISACA)

Flashcards in Review 5 Deck (18)
1
Q

An IS auditor, performing a review of an application’s controls, discovers a weakness in system software which could materially impact the application. The IS auditor should:

A) Disregard these control weaknesses as a system software review is beyond the scope of this review.
B) Conduct a detailed system software review and report the control weaknesses.
C) Include in the report a statement that the audit was limited to a review of the application’s controls.
D) Review the system software controls as relevant and recommend a detailed system software review.

A

D) Review the system software controls as relevant and recommend a detailed system software review.

2
Q

The reason for having controls in an IS environment:

A) remains unchanged from a manual environment, but the implemented control features may be different.
B) changes from a manual environment, therefore the implemented control features may be different.
C) changes from a manual environment, but the implemented control features will be the same.
D) remains unchanged from a manual environment and the implemented control features will also be the same.

A

A) remains unchanged from a manual environment, but the implemented control features may be different.

3
Q

Which of the following types of risks assumes an absence of compensating controls in the area being reviewed?

A) Control risk
B) Detection risk
C) Inherent risk
D) Sampling risk

A

C) Inherent risk

4
Q

An IS auditor is conducting substantive audit tests of a new accounts receivable module. The IS auditor has a tight schedule and limited computer expertise. Which would be the BEST audit technique to use in this situation?

A) Test data
B) Parallel simulation
C) Integrated test facility
D) Embedded audit module

A

A) Test data

5
Q

The PRIMARY purpose of compliance tests is to verify whether:

A) controls are implemented as prescribed.
B) documentation is accurate and current.
C) access to users is provided as specified.
D) data validation procedures are provided.

A

A) controls are implemented as prescribed.

6
Q

Which of the following BEST describes the early stages of an IS audit?

A) Observing key organizational facilities.
B) Assessing the IS environment.
C) Understanding business process and environment applicable to the review.
D) Reviewing prior IS audit reports.

A

C) Understanding business process and environment applicable to the review.

7
Q

The document used by the top management of organizations to delegate authority to the IS audit function is the:

A) long-term audit plan.
B) audit charter.
C) audit planning methodology.
D) steering committee minutes.

A

B) audit charter.

8
Q

Before reporting results of an audit to senior management, an IS auditor should:

A) Confirm the findings with auditees.
B) Prepare an executive summary and send it to audit management.
C) Define recommendations and present the findings to the audit committee.
D) Obtain agreement from the auditee on findings and actions to be taken.

A

D) Obtain agreement from the auditee on findings and actions to be taken.

9
Q

While developing a risk-based audit program, which of the following would the IS auditor MOST likely focus on?

A) Business processes
B) Critical IT applications
C) Corporate objectives
D) Business strategies

A

A) Business processes

10
Q

Which of the following is a substantive audit test?

A) Verifying that a management check has been performed regularly
B) Observing that user IDs and passwords are required to sign on the computer
C) Reviewing reports listing short shipments of goods received
D) Reviewing an aged trial balance of accounts receivable

A

D) Reviewing an aged trial balance of accounts receivable

11
Q

Which of the following tasks is performed by the same person in a well-controlled information processing facility/computer center?

A) Security administration and management
B) Computer operations and system development
C) System development and change management
D) System development and systems maintenance

A

D) System development and systems maintenance

12
Q

Where adequate segregation of duties between operations and programming is not achievable, the IS auditor should look for:

A) compensating controls.
B) administrative controls.
C) corrective controls.
D) access controls.

A

A) compensating controls.

13
Q

Which of the following would be included in an IS strategic plan?

A) Specifications for planned hardware purchases
B) Analysis of future business objectives
C) Target dates for development projects
D) Annual budgetary targets for the IS department

A

B) Analysis of future business objectives

14
Q

The MOST important responsibility of a data security officer in an organization is:

A) recommending and monitoring data security policies.
B) promoting security awareness within the organization.
C) establishing procedures for IT security policies.
D) administering physical and logical access controls.

A

A) recommending and monitoring data security policies.

15
Q

Which of the following BEST describes an IT department’s strategic planning process?

A) The IT department will have either short-range or long-range plans depending on the organization’s broader plans and objectives.
B) The IT department’s strategic plan must be time and project oriented, but not so detailed as to address and help determine priorities to meet business needs.
C) Long-range planning for the IT department should recognize organizational goals, technological advances and regulatory requirements.
D) Short-range planning for the IT department does not need to be integrated into the short-range plans of the organization since technological advances will drive the IT department plans much quicker than organizational plans.

A

C) Long-range planning for the IT department should recognize organizational goals, technological advances and regulatory requirements.

16
Q

When a complete segregation of duties cannot be achieved in an online system environment, which of the following functions should be separated from the others?

A) Origination
B) Authorization
C) Recording
D) Correction

A

B) Authorization

17
Q

In a small organization, where segregation of duties is not practical, an employee performs the function of computer operator and application programmer. Which of the following controls should the IS auditor recommend?

A. Automated logging of changes to development libraries
B. Additional staff to provide segregation of duties
C. Procedures that verify that only approved program changes are implemented
D. Access controls to prevent the operator from making program modifications

A

C. Procedures that verify that only approved program changes are implemented

18
Q

An IT steering committee would MOST likely perform which of the following functions?

A. Placement of a purchase order with the approved IT vendor
B. Installation of systems software and application software
C. Provide liaison between IT department and user department
D. Interview staff for the IT department

A

C. Provide liaison between IT department and user department